From 240c0995261bc6728f276060d98d9363f84d4b9b Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 12 May 2024 19:58:55 +0100 Subject: [PATCH] users in hosts --- .sops.yaml | 11 +++++++ flake.lock | 40 ++++++++++++++++++++++- flake.nix | 8 ++++- home/sam/common/core/default.nix | 1 + home/sam/common/optional/sops.nix | 23 +++++++++++++ home/sam/nixdev.nix | 1 + hosts/common/core/default.nix | 5 +++ hosts/common/core/sops.nix | 22 +++++++++++++ hosts/common/optional/openssh/default.nix | 22 +++++++++++++ hosts/common/users/sam/default.nix | 25 ++++++++++++++ hosts/common/users/sam/keys/laptop.pub | 1 + hosts/nixdev/default.nix | 25 +++++++++----- secrets.yaml | 32 ++++++++++++++++++ 13 files changed, 205 insertions(+), 11 deletions(-) create mode 100644 .sops.yaml create mode 100644 home/sam/common/optional/sops.nix create mode 100644 hosts/common/core/default.nix create mode 100644 hosts/common/core/sops.nix create mode 100644 hosts/common/optional/openssh/default.nix create mode 100644 hosts/common/users/sam/default.nix create mode 100644 hosts/common/users/sam/keys/laptop.pub create mode 100644 secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..fb4cede
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+ - &users:
+ - &sam age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
+ - &hosts:
+ - &nixdev age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *sam
+ - *nixdev
diff --git a/flake.lock b/flake.lock
index 9bfd4ea..8108c68 100644
--- a/flake.lock
+++ b/flake.lock
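Review bot: The `- &users:` and `- &hosts:` entries in the `keys` list are anchors attached to empty (null) list items, not group headings; with the file's indentation not recoverable here I cannot tell whether the `&sam`/`&nixdev` lines nest under them or sit beside them, but either way the `users:`/`hosts:` anchors are never referenced and sops does not need them. The usual layout is a flat list, `keys:` / `  - &sam age1…` / `  - &nixdev age1…`, which is what `key_groups` below already assumes. `path_regex: secrets.yaml$` is also looser than intended since `.` is unescaped and the start is unanchored; `^secrets\.yaml$` limits the rule to the one file.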
@@ -32,6 +32,22 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1715458492,
+ "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "8e47858badee5594292921c2668c11004c3b0142",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1714906307,
@@ -52,7 +68,29 @@
 "inputs": {
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
- "nixpkgs-unstable": "nixpkgs-unstable"
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1715482972,
+ "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index ecd4ac7..21a306b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,12 @@
 # Home manager
 home-manager.url = "github:nix-community/home-manager";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ # Secrets management
+ sops-nix = {
+ url = "github:mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
@@ -68,7 +74,7 @@
 # FIXME replace with your username@hostname
 "sam@nixdev" = home-manager.lib.homeManagerConfiguration {
 pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
- extraSpecialArgs = {inherit inputs outputs;};
+ extraSpecialArgs = {inherit inputs outputs ;};
 modules = [
 # > Our main home-manager configuration file <
 ./home/sam/nixdev.nix
diff --git a/home/sam/common/core/default.nix b/home/sam/common/core/default.nix
index 7bc6abd..3450e44 100644
--- a/home/sam/common/core/default.nix
+++ b/home/sam/common/core/default.nix
@@ -15,6 +15,7 @@
 pkgs.kitty
 pkgs.zathura
 pkgs.xfce.thunar
+ #pkgs.age
 ];
 programs.zsh = {
diff --git a/home/sam/common/optional/sops.nix b/home/sam/common/optional/sops.nix
new file mode 100644
index 0000000..7aacc63
--- /dev/null
+++ b/home/sam/common/optional/sops.nix
@@ -0,0 +1,23 @@
+{ inputs, config, ... }:
+let
+ secretsFile = ../../../../secrets.yaml;
+ homeDirectory = config.home.homeDirectory;
+in
+{
+ imports = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+
+ sops = {
+ age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
+
+ defaultSopsFile = "${secretsFile}";
+ validateSopsFiles = false;
+
+ secrets = {
+ "ssh_keys/sam" = {
+ path = "${homeDirectory}/.ssh/sam";
+ };
+ };
+ };
+}
diff --git a/home/sam/nixdev.nix b/home/sam/nixdev.nix
index a4f522d..dba953b 100644
--- a/home/sam/nixdev.nix
+++ b/home/sam/nixdev.nix
@@ -8,6 +8,7 @@
 ./common/core
 ./common/optional/desktop/hyprland
 ./common/optional/desktop/waybar.nix
+ ./common/optional/sops.nix
 ];
 # ------
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
new file mode 100644
index 0000000..e42f28e
--- /dev/null
+++ b/hosts/common/core/default.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+ imports = [
+ ./sops.nix
+ ];
+}
diff --git a/hosts/common/core/sops.nix b/hosts/common/core/sops.nix
new file mode 100644
index 0000000..d313dde
--- /dev/null
+++ b/hosts/common/core/sops.nix
@@ -0,0 +1,22 @@
+{ pkgs, inputs, config, configVars, ... }:
+let
+ secretsDirectory = ../../../secrets.yaml;
+ secretsFile = "${secretsDirectory}/secrets.yaml";
+ homeDirectory = "/home/${configVars.username}";
+in
+{
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ defaultSopsFile = "${secretsFile}";
+ validateSopsFiles = false;
+
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ };
+}
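Review bot: `validateSopsFiles = false;` in the home-manager `sops` block switches off the evaluation-time check that `defaultSopsFile` exists and parses as a sops file, so a wrong path or a corrupted secrets.yaml only surfaces when the activation script runs; `secretsFile` here is a plain repo path, so the check should be able to run and the line looks droppable (or needs a comment saying why it is off). The `"ssh_keys/sam"` secret is an SSH private key written to `~/.ssh/sam` with no explicit `mode`, so its permissions rest on the module default; a comment such as `# private key: relies on the sops-nix default (owner-read-only) mode — set mode explicitly if that changes` would make the dependency visible, and an explicit `mode = "0400";` would remove it.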
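Review bot: In hosts/common/core/sops.nix, `secretsDirectory = ../../../secrets.yaml;` already names the file, so `secretsFile = "${secretsDirectory}/secrets.yaml";` resolves `defaultSopsFile` to `…/secrets.yaml/secrets.yaml`, a path that does not exist, and `validateSopsFiles = false;` two lines below means evaluation will not catch it. Either `secretsDirectory = ../../..;` or simply `defaultSopsFile = ../../../secrets.yaml;` fixes it, and the validation can then stay on. The module also declares no `sops.secrets`, so the `sam-password` entry that this commit adds to secrets.yaml is never decrypted on the host, and `homeDirectory` is unused while forcing a `configVars` argument that nothing visible in the diff supplies.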
diff --git a/hosts/common/optional/openssh/default.nix b/hosts/common/optional/openssh/default.nix
new file mode 100644
index 0000000..8a1b948
--- /dev/null
+++ b/hosts/common/optional/openssh/default.nix
@@ -0,0 +1,22 @@
+{ lib, config, ... }:
+let
+ sshPort = 22;
+in
+
+{
+ services.openssh = {
+ enable = true;
+ ports = [ sshPort ];
+
+ settings = {
+ # Harden
+ PasswordAuthentication = true;
+ PermitRootLogin = "no";
+ # Automatically remove stale sockets
+ StreamLocalBindUnlink = "yes";
+ };
+
+ };
+
+ networking.firewall.allowedTCPPorts = [ sshPort ];
+}
diff --git a/hosts/common/users/sam/default.nix b/hosts/common/users/sam/default.nix
new file mode 100644
index 0000000..d2c002f
--- /dev/null
+++ b/hosts/common/users/sam/default.nix
@@ -0,0 +1,25 @@
+{ pkgs, inputs, config, lib, ... }:
+{
+ users.users.sam = {
+ isNormalUser = true;
+ password = "nixos"; # Overridden if sops is working
+ shell = pkgs.zsh; # default shell
+
+ extraGroups = [
+ "wheel"
+ "docker"
+ "git"
+ "networkmanager"
+ ];
+
+ };
+
+ programs.zsh.enable = true;
+
+ environment.systemPackages = [
+ pkgs.rsync
+ pkgs.curl
+ pkgs.tmux
+ pkgs.neovim
+ ];
+}
diff --git a/hosts/common/users/sam/keys/laptop.pub b/hosts/common/users/sam/keys/laptop.pub
new file mode 100644
index 0000000..43c4bc0
--- /dev/null
+++ b/hosts/common/users/sam/keys/laptop.pub
@@ -0,0 +1 @@
+ssh-rsa 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 samual.shop@protonmail.com :: laptop
diff --git a/hosts/nixdev/default.nix b/hosts/nixdev/default.nix
index e410bec..211117a 100644
--- a/hosts/nixdev/default.nix
+++ b/hosts/nixdev/default.nix
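Review bot: `PasswordAuthentication = true;` directly under the `# Harden` comment does the opposite of hardening: it accepts password logins on port 22, which `networking.firewall.allowedTCPPorts` opens in the same hunk, while the `sam` account created in this commit carries a fixed `password = "nixos"`. The intended hardening is `PasswordAuthentication = false;` plus `KbdInteractiveAuthentication = false;`, with access via the `keys/laptop.pub` key this commit adds (`users.users.sam.openssh.authorizedKeys.keyFiles`). `lib` and `config` in the argument set are unused and can be dropped.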
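Review bot: In hosts/common/users/sam/default.nix the comment on `password = "nixos"; # Overridden if sops is working` is not true of this commit: nothing sets `hashedPasswordFile` or declares a `sam-password` secret, so the account is created with a known plaintext password and is in both `wheel` and `docker` (the docker group is root-equivalent). The secret secrets.yaml already carries can be wired with `sops.secrets."sam-password".neededForUsers = true;` in the host sops module and `users.users.sam.hashedPasswordFile = config.sops.secrets."sam-password".path;` here, with a comment stating that the stored value must be a password hash (e.g. `mkpasswd` output), not the cleartext. `keys/laptop.pub` added next to this file is not referenced; `openssh.authorizedKeys.keyFiles = [ ./keys/laptop.pub ];` inside `users.users.sam` would use it. `inputs`, `config` and `lib` are unused arguments, and the `git` group is referenced but not created anywhere visible.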
@@ -1,12 +1,21 @@
-{ inputs, config, lib, pkgs, outputs, ... }:
+{ inputs, config, lib, pkgs, outputs, configLib, ... }:
 {
 imports = [
+ # Import core options
 ./hardware-configuration.nix
+ ../common/core
+
+ # Import optional options
 ../common/optional/pipewire.nix
 ../common/optional/hyprland.nix
 ../common/optional/displayManager/sddm.nix
+ ../common/optional/openssh
+
+ # Create users for this host
+ ../common/users/sam
+
 ];
 nixpkgs = {
@@ -45,12 +54,12 @@
 services.libinput.enable = true;
- users.users.sam = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- };
+# users.users.sam = {
+# isNormalUser = true;
+# extraGroups = [ "wheel" ];
+# };
- users.users.sam.shell = pkgs.zsh;
+# users.users.sam.shell = pkgs.zsh;
 environment.systemPackages = with pkgs; [
 # curl
@@ -81,14 +90,12 @@
 enableSSHSupport = true;
 };
- programs.zsh.enable = true;
-
+# programs.zsh.enable = true;
 hardware = {
 opengl.enable = true;
 nvidia.modesetting.enable = true;
 };
- services.openssh.enable = true;
 system.stateVersion = "23.11";
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..4612e8f
--- /dev/null
+++ b/secrets.yaml
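Review bot: `configLib` is added to the module's argument set in the first hunk but nothing in this diff passes it — the flake.nix hunks only add the `sops-nix` input and touch the home-manager `extraSpecialArgs` — so unless the NixOS `specialArgs` outside this diff already supply it, evaluating the host will fail with a missing-argument error; it should be dropped until something uses it. The same concern applies to `configVars` in hosts/common/core/sops.nix, which this host now imports via `../common/core`.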
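Review bot: In the second hunk the `users.users.sam` block and `users.users.sam.shell` are commented out instead of deleted, and the third hunk does the same with `programs.zsh.enable`; `hosts/common/users/sam/default.nix` now owns these settings, so the `#`-prefixed copies are dead text that will silently drift from it. Delete the commented lines outright, as the third hunk already does for `services.openssh.enable = true;` (replaced by the `../common/optional/openssh` import).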
@@ -0,0 +1,32 @@
+ssh_keys:
+ sam: ENC[AES256_GCM,data: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,iv:X0yg22/dPbSAUmTcb8lePZ403RI6oGNELTZFI6y68AQ=,tag:YfTESEm2GWJApi7LOvY8RA==,type:str]
+sam-password: ENC[AES256_GCM,data:2TObp9d8fvWWsKyTVqNqSabhmcA+ZVo5N1qmn8N15ZXhb9G4sdfkPspnCZmxZ+FttfTvNYG8ZwcDzBAx2XbR8jRwGxljZaoBXQ==,iv:mysxYtfrE8KEkK0qO1C4+FgJYuWsKvsYVMAYRD0FW/Q=,tag:5LNmkZn1msT6n18BLLP4vA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbE1DejdDSTVhVmdrTC9r
+ Y3BLLytPem90UnUvQkpCZ3NMaFBhYytWUndzCkNUWElDOVVwc0dhWFRWL2ZFQXV4
+ Qi9PdDdqZHR2S2JkeXdEL3RQbXVQREkKLS0tIE5JcHVlTS9LellRM08wZUpiRS9Y
+ cE5LK1llSXVhYWVzUjg0Z0VoQVJIMDAKt+bCXwj6jMLiRDS+/4K3+z+8nc3lUFli
+ WWRVNOTUZT8Ckt5UjHWrZ/FOfgCupGiDD9Imsx1x37cgN0P88vib/A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOG1jTEZYMmdFMWxzWGxE
+ cWp2QlM2N1hxYTlmN0NnRzJKczI4OWRtUW5nCmQ2YVB3SkNxVlFwL3ZVNm03K2U3
+ SFdDU1JXTXJjM1M5UzV1ckoyRGQ5R0EKLS0tIHFsSnk5VWlReW1VZmYvMW50OGJr
+ ZE90dTRDQWdUL0FXNC9IWFhKcEhocG8KF4F5wAnkwF2gfGa3jt2OHseY4NlqHqf2
+ /g2Huk8W6pni2K3XOnIrb+89JQaafI8AJgaBLl6kMrsGHx5Jqa2HjQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-12T17:16:39Z"
+ mac: ENC[AES256_GCM,data:WapNxbYGJC5P07Wh7L7N5na0k6/bNTtQLr0BZWlWBUObwVeCnP2ALBx0RcR34f5fQYGheM6W076AEmMBlmcKmGd8TFoxXikl4ZlCPumD6mp+f49V/YWSEzGKtoAKvdaG2D/1tV37INh/OV6fqyXapZkEEVc25AgjKwzYY8wdM4M=,iv:JDHwLh+Fuhs4WOmZU9/dyKbtH2dC7Adj/vt9/Tci6VM=,tag:qqjhwiYC8x6I1AkvZhyVSA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1